On May 22, Cetus Protocol, Sui blockchain's largest decentralised exchange, fell victim to a sophisticated oracle manipulation attack that drained approximately $223 million from 46 different liquidity pools.

"The attacker exploited vulnerabilities in Cetus Protocol's smart contracts by deploying spoof tokens to manipulate price curves and reserve calculations," according to Deddy Lavid, CEO of cybersecurity firm Cyvers.

The hacker created worthless tokens designed specifically to trick Cetus's pricing oracle. By injecting these fake tokens into liquidity pools, they distorted the price feeds that the protocol relied on to value assets.

Once the oracle was compromised, the attacker systematically drained multiple pools, including the critical SUI/USDC pair, of their legitimate assets.

"It's like going to a toy exchange, you bring fake toys that look valuable but are actually worthless, trade them for real toys, and then run," as security expert Manan Vora from Liminal perfectly put it.

The immediate aftermath was brutal.

Within hours of the attack, the Sui Foundation coordinated with network validators to freeze wallets containing stolen funds. A "supermajority validator vote" was secured to essentially ignore transactions from addresses associated with the theft.

The result? $162 million of the stolen $223 million was successfully frozen.

Impressive recovery rate, right? But at what cost?

The swift response has reignited debates about what "decentralised" actually means in practice.

"If validators, 114 only in total, can freeze wallets when they want, it raises a major question about the network's censorship resistance," noted an observer.

It's the age-old blockchain dilemma: security versus true decentralisation. When push comes to shove, which matters more?

"We are doing what we can to help SUI. Not a pleasant situation. Hope everyone stay SAFU!" tweeted Binance founder Changpeng Zhao, weighing in on the issue.

The $6M Bounty

In a move that's become common in crypto, Cetus offered the hacker a $6 million bounty to return the remaining $56.3 million in ETH that had been bridged to Ethereum.

The math is simple: keep $6 million, return $56 million, and everyone walks away.

Whether the hacker takes the deal remains to be seen.

The Cetus hack exposes an uncomfortable reality: when billions are at stake, even "decentralised" networks can act remarkably like traditional financial institutions.